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1  Executive  Summary 

In  the  course  of  seeking  fundamental  concepts  that  can  drive  the  study  of  cybersecurity  for 
the  many  years  to  come  —  just  like  how  concepts  such  as  confidentiality,  integrity  and  avail¬ 
ability  have  been  driving  the  study  of  security  for  decades  —  the  idea  of  Cybersecurity 
Dynamics  emerged.  Intuitively,  Cybersecurity  Dynamics  describes  the  evolution  of  cyberse- 
curity  state  as  caused  by  cyber  attack-defense  interactions.  By  studying  Cybersecurity 
Dynamics,  we  can  characterize  the  cybersecurity  phenomena  exhibited  in  the  evolution 
of  cybersecurity  state  and  pin  down  the  factors  and  laws  that  govern  the  evolution.  As  high¬ 
lighted  in  Figure  1,  Cybersecurity  Dynamics  offers  a  new  way  of  thinking  in  formulating  the 
ultimately  wanted  foundation  for  the  science  of  cybersecurity.  One  fundamental  implication 
of  Cybersecurity  Dynamics  is  that  emergent  behavior  is  inherent  to  cybersecurity.  This 
issue  has  not  been  understood,  or  even  recognized,  by  many  researchers. 
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2  Cybersecurity  Dynamics 

In  i1]  (see  Appendix  B),  we  describe  the  fundamental  ideas  behind  the  novel  concept  of 
Cybersecurity  Dynamics.  At  a  high  level,  Cybersecurity  Dynamics  describes  the  evolution 
of  global  cybersecurity  state  as  caused  by  cyber  attack-defense  interactions.  It  can 
serve  as  a  foundation  for  the  Science  of  Cybersecurity  because  of  the  following.  First,  cyber 
attacks  are  inevitable  and  defenders  need  to  know  the  dynamic  cybersecurity  states  so  as  to 
manage  the  risk  (e.g.,  using  appropriate  threshold  cryptosystems  or  Byzantine  fault-tolerance 
schemes  or  Moving  Target  Defense).  Cybersecurity  Dynamics  offers  natural  security  metrics 
such  as:  What  is  the  probability  that  a  node/computer  is  compromised  at  time  t?  What  is  the 
(expected)  number  of  nodes/computers  that  are  compromised  at  time  t ?  Such  basic  metrics 
can  be  used  to  define  more  advanced  security/risk  metrics  for  decision-making  purposes. 
Together  they  can  be  used  to  characterize  the  global  effect  of  deploying  some  defense  tools 
or  mechanisms.  Second,  cybersecurity  dynamics  offers  an  overarching  framework  that  can 
accommodate  descriptive,  prescriptive,  and  predictive  cybersecurity  models,  which  can 
be  systematically  studied  by  using  various  mathematical  techniques. 

Cybersecurity  Dynamics  was  inspired  by  ideas  underlying  the  epidemic  models  in  Biol¬ 
ogy,  ideas  underlying  the  interacting  particle  systems  in  Physics,  and  ideas  underlying  the 
microfoundation  in  economics.  However,  Cybersecurity  Dynamics  goes  beyond  them  because 
it  imposes  a  distinguishing  set  of  technical  barriers,  such  as: 

•  The  nonlinearity  barrier:  The  probability  that  a  computer  is  compromised  would 
depend  on  the  states  of  other  computers  in  a  (highly)  nonlinear  fashion.  This  can 
render  many  analysis  techniques  useless. 

•  The  dependence  barrier:  The  states  of  computers  are  dependent  upon  each  other 
(e.g.,  they  may  have  the  same  software  vulnerability),  and  thus  we  need  to  accommo¬ 
date  such  dependence  between  them. 

•  The  non-equilibrium  (or  transient  behavior)  barrier:  It  is  important  to  understand 
both  the  equilibrium  states  and  the  dynamics  before  it  converges  to  the  equilibrium 
distribution/state  (if  it  does  at  all). 

A  profound  implication  of  Cybersecurity  Dynamics  is  that  the  concept  of  emergent 
behavior  is  inherent  to  cybersecurity,  as  we  illustrate  in  [2]  (see  Appendix  C).  Emergent 
behavior  highlights  that  there  are  cybersecurity  properties  of  cybersystems  that  are  not 
possessed/implied  by  the  cybersecurity  properties  of  the  component  cybersystems  (i.e.,  the 
“1  +  1  >  2”  effect).  This  has  been  acknowledged  by  our  recent  results  [3,  4,  5,  7,  8,  9,  10,  11]. 

3  Future  Research  Directions 

The  novel  concept  of  Cybersecurity  Dynamics  opens  the  door  for  a  rich  field  of  research, 
as  demonstrated  by  our  results  [3,  4,  5,  7,  8,  9,  10,  11].  This  concept  is  unique  in  that  it 
can  systematically  and  seamlessly  incorporate  many  disciplines  in  order  to  formulate  the 
foundation  of  cybersecurity.  The  research  blueprint  outlined  in  [1]  includes  three  integral 
research  thrusts: 
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•  Thrust  I:  Building  a  systematic  theory  of  cybersecurity  dynamics. 

•  Thrust  II:  Data-,  policy-,  architecture-  and  mechanism- driven  characterization  studies. 

•  Thrust  III:  Bridging  the  gaps  between  Thrusts  I  &  II  (including  the  gaps  between 
theory  and  practice). 

We  believe  that  a  research  community  will  be  fostered  to  extensively  explore  this  innovative 
approach  for  the  many  years  to  come. 
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4  Appendix 

The  appendix  contains  the  afore-mentioned  presentation  on  Cybersecurity  Dynamics  and 
two  extended  abstracts  [1,  2],  namely: 

•  Appendix  A:  Shouhuai  Xu.  Cybersecurity  Dynamics  (presentation). 

•  Appendix  B:  Shouhuai  Xu.  Cybersecurity  Dynamics.  Proceedings  of  2014  Symposium 
and  Bootcamp  on  the  Science  of  Security  (HotSoS’14),  pages  14:1-14:2. 

•  Appendix  C:  Shouhuai  Xu.  Emergent  Behavior  in  Cybersecurity.  Proceedings  of  2014 
Symposium  and  Bootcamp  on  the  Science  of  Security  (HotSoS’14),  pages  13:1-13:2. 
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Appendix  A 


Cybersecurity  Dynamics: 

A  Foundation  for  the  Science  of  Cybersecurity 


Shouhuai  Xu 

Department  of  Computer  Science 
University  of  Texas  at  San  Antonio 
www.cs.utsa.edu/~shxu 


4/10/2014  @UNC 


One-Page  Summary  of  the  Talk 


□  Describing  one  approach  to  modeling  cybersecurity 
from  a  holistic  perspective,  w /  example  results. 

□  The  approach  is  systematic  and  promising. 

□  To  my  knowledge,  it  is  perhaps  the  only  systematic 
approach  that  has  been  exposed  to  the  public. 

□  And,  of  course,  we  are  far  away  from  where  we  can  be. 


The  Situation ...  My  Perspective 

Q:  There  are  many  compromised  computers  in  cyberspace. 
Is  that  because  attackers  are  much  smarter  than 
“defenders  +  researchers”? 

A:  Perhaps  not;  it  is  caused  by  many  “asymmetries”. 

Q:  Why  are  there  many  “asymmetries”? 

A:  Cyberspace  is  comp/a*(»complicated),  and  pretty  much 
everything  we  (“defenders  +  researchers”)  currently  do  is 
heuristic  (or  ad  hoc)  when  considering  whole-system  (i.e. 
holistic;  rather  than  building-blocks)  properties. 

Q:  What  can  we  do  to  fundamentally  change  the  situation? 


An  Initial  Observation 

Cybersecurity  is  a  (relatively)  new  subject. 

□  More  about  systems  properties,  than  about  building- 
blocks  properties  and  data/information  properties. 

□  Putting  risk  management  etc.  into  context 

Understanding  it  would  require  a  new  way  of  thinking. 

□  What  are  the  core  concepts  of  cybersecurity  (e.g.,  as 
fundamental  as  concepts  such  as  confidentiality, 
integrity  etc.  that  have  driven  research  for  decades)? 

□  What  is  the  right  abstraction  for  modeling  and  analyzing 


cybersecurity? 


For  example,  what  are  the  following  kinds  of 
things  for  the  Science  of  Cybersecurity? 


Pictures  borrowed  from  Internet 
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Further  Observation:  Many  Kinds  of 
Attacks 


Further  Observation:  Many  Kinds  of 
Defense 


Two  Sides  of  the  Same  Coin: 
The  Big  Picture^^^^ 


Cybersecurity  Dynamics  Caused  by 
Cyber  Attack-Defense  Interactions 

Push-based  attacks 
(malware,  APT  etc) 


Pull-based  attacks 
(drive-by  download) 


Proactive  defense 


Active  defense 


Other  attacks 
(insiders  etc) 


Preventive  defense 


defense 


Adaptive  defense 


Attacks 


Defenses 


C.D.  Reminiscent  of ... 

The  Art  of  War  (Sun  Tzu): 

• 

If  you  know  your  enemies  and  know  yourself,  you  can  win  a 
hundred  battles  without  a  single  loss. 

❖  Knowing  the  dynamics  makes  you  always  win! 

If  you  only  know  yourself,  but  not  your  opponent,  you  may 
win  or  may  lose. 

If  you  know  neither  yourself  nor  your  enemy,  you  will  always 
endanger  yourself. 

(English  translation  by  http://en.wikipedia.org/wiki/The  Art  of  War) 
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Cybersecurity  and  Levels  of  Abstraction 

Cybersecurity  is  NOT  to  replace  existing  body  of  security 
knowledge,  but  complementary.  It  offers  an  overarching 
abstraction  from  a  holistic  or  global-system  perspective. 


Level  of  Abstraction 

HIGHER-LEVEL 


Models  /  objects  for  study 


Connection  between  multiple  levels  of 
abstraction:  Parameters  in  macroscopic 
cybersecurity  models  are  derived  from 
microscpoic  cyber  attack/defense  tools  (e.g., 
their  power) ,  human  factors,  etc. 


Reminiscent  of  Macroscopic  Economics  vs. 
Microscopic  Economics? 


Evolution  of  Global  Security  State 

Complex  Network  based  abstraction: 

□  Nodes  abstract  entities  (e.g.,  computer) 

❖  Node  state:  green  -  secure;  red  -  compromised 

□  Edges  abstract  the  attack-defense  interaction  structure 
(system  description/representation) 


Three  kinds  of  outcomes  of  evolution  of  global  security  state 


Q:  what  are  the  governing/scaling  laws? 


Illustration:  Evolution  of  Sec.  State 


(Expected)  portion  of  compromised  nodes  w.r.t.  time 


□  This  is  perhaps  the  most  natural  cybersecurity  metric. 

□  With  information  about  the  probability  that  the  nodes  are 
compromised  at  time  t,  we  can  make  better  decisions. 
E.g.,  can  a  task  be  disrupted  at  time  t  (<  mission  lifetime) 
with  probability  at  most  p? 


Illustration:  Manipulating  Evolution 


(Expected)  portion  of  compromised  nodes  w.r.t.  time 


1 


s  \ 

/  \ 


^  N  y 

/  \  / 


Alternate  result  under 
defender’s  manipulation 


s  manipulation: 
✓  probably 
cannot  even 
measure  it 


time 

— > 
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Cybersecurity  Dynamics 


A  phenomenon-centric  new  way  of  thinking: 

□  Cybersecurity  Dynamics  is  an  abstraction  for 
understanding  and  managing  (manipulating  or 
even  predicting)  the  evolution  of  security  state. 

□  The  evolution  of  security  state  is  a  “natural” 
phenomenon  in  cyber  (and  cyber-physical) 
systems,  ranging  from  a  small  enterprise  system 
to  the  entire  cyberspace. 

□  The  evolution  of  security  state  is  caused  by  the 
attack-defense  interactions. 


Roadmap 


□  Vision  for  Cybersecurity  Dynamics  Foundation 

□  Example  Results  Towards  Fulfilling  the  Vision 
♦>  Limitation  of  Preventive  &  Reactive  Defense 

❖  Overcoming  the  Limitation  w /  Active  Defense 

❖  Optimizing  Active  Defense 

□  Challenges  Ahead:  Tackling  Technical  Barriers 
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(Potential)  Power  of  Cybersecurity  Dynamics 


□  Descriptive  power:  Understanding  the  dynamics 

❖  What  laws  govern  the  evolution  of  security  state? 

❖  Which  security  architecture  is  better? 

□  Prescriptive  power:  Manipulating  the  dynamics 

❖  How  can  we  manipulate  it  to  benefit  the  defender? 

□  Predictive  power:  Predicting  and  therefore  proactively 
manipulating  the  dynamics 

❖  What  can  and  cannot  be  predicted? 

♦>  How  can  we  quantify  the  effect  of  MTD? 
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Principle 


The  Vision:  Cybersecurity  Dynamics 
Foundation  for  the  Science  of  Cybersecurity 


18 


°es/gns 


The  Vision:  Cybersecurity  Dynamics 
Foundation  for  the  Science  of  Cybersecurity 


From  Network  Science  perspective, 
cybersecurity  studies  the  attack-defense 
processes  taking  place  on  top  of 
dynamic  complex  networks. 

Complex  networks  are  (arguably)  core  of 
Network  Science. 
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The  Vision:  Cybersecurity  Dynamics 
Foundation  for  the  Science  of  Cvbersecuritv 

From  security  perspective,  by  modeling  cybersecurity 
through  families  of  functions 

f(t,  system_description(t),  a^t) . an(t),  d^t) . dm(t)), 

where  aj(t)’s  and  d,(t)’s  respectively  abstract  powers  of  cyber 
attack  and  defense  deployments,  we  can  (i)  characterize  the 
global  effect  of  Ad g  (i.e.,  deploying  a  new  defense 
mechanism)  and  (ii)  compare  security  architectures. 

In  principle,  such  f’s  exist. 

The  matter  is  how  good/close  we  can  approximate  it. 
(analogy:  approximate  solution  to  NP-hard  problems?) 


The  Vision:  Cybersecurity  Dynamics 
Foundation  for  the  Science  of  Cybersecurity 


From  defense  operators’  perspective, 
cybersecurity  dynamics  studies  aim  to  offer 
quantitative,  real-time  decision-making  tools 
for  optimal  defense  operations  (e.g.,  control 
the  evolution  of  cybersecurity  dynamics 
towards  the  desired  destinations,  at  minimal 
cost). 

- - — — — - 

Graph 


Analytics 
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The  Vision:  Cybersecurity  Dynamics 
Foundation  for  the  Science  of  Cybersecurity 


First-principle  models  aim  to  derive  laws  that 
govern  the  evolution  of  cyberscurity 
dynamics  and  to  understand  the  phenomena 
that  may  or  may  not  be  beneficial  to  the 
defenders  (e.g.,  Chaos). 

Observation:  Dynamical  System  is  relevant  to 
the  very  microscopic  ciphers  and  the  very 
macroscopic  cybersecurity! 


The  Vision:  Cybersecurity  Dynamics 
Foundation  for  the  Science  of  Cybersecurity 


Data-driven  studies  aim  to  validate  model 
assumptions,  extract  model  parameters, 
characterize  the  statistical  properties  of 
cyber  attack-defense  processes  as  well  we 
cyber  attack  processes,  and  understand  the 
predictability  of  properties  of  these 
processes. _ 


The  Vision:  Cybersecurity  Dynamics 
Foundation  for  the JSciencjB  of  Cybersecurity 

Disclamer:  This  is  something  being  made, 
meaning  that  views/ideas  can  be  subject 
to  refinement  (or  even  correction). 

Note:  We  are  not  trying  to  attain  any  kind 
of  very  general  science  (e.g.,  the  failed 
attempt  at  General  System  Science) 

Rather,  we  want  a  science  for  the  specific 
domain  of  cybersecurity,  although  it  gets 
inspirations  and  supporting  techniques 
from  other  kinds  of  sciences. 

Not  overly  broad,  not  too  narrow. 
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Complexity  Science  Comes  to  Rescue  Again? 

The  (envisioned)  Science  of  Cybersecurity: 

□  Soul:  Security  (concepts) 

□  Brain:  Cybersecurity  Dynamics  (kind  of  Complexity  Science) 

□  Muscle  &  Blood:  Complex  System/Network,  Stochastic 
Process,  Dynamical  System,  Statistical  Physics,  Control 
Theory,  Game  Theory,  Statistics,  Algebraic  Graph  Theory, 
Algorithms,  Programming  Language,  etc. 

The  Science  of  Cryptography: 

□  Soul:  Security  (concepts) 

□  Brain:  Comp.  Complexify  Theory  (kind  of  Complexity  Science) 

□  Muscle  &  Blood:  Probability  Theory,  Number  Theory, 
Abstract  Algebra,  etc. 
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Research  Roadmap:  Three  Thrusts 
Towards  Fulfilling  the  Vision 

□  Thrust  I:  Building  a  systematic  theory  of 
Cybersecurity  Dynamics 

□  Thrust  II:  Data-,  policy-  &  mechanism-driven 
characterization  studies,  and  developing  (theory 
inspired/guided)  tools  for  practice  (e.g.,  managing 
mission  assurance  &  risk) 

□  Thrust  III:  Bridging  gaps  between  Thrusts  I  &  II 


Research  Roadmai 


Cyber  system  (of  systems] 

f  Thrust  I :  “Cybersecurity  Dynamics”- 


Real 

world 


j  centered  first-principle  modeling 


Richer  information 
« - 


Richer  phenomenon 


Stochastic 

Process 


Dynamical 

System 

r 


Statistical 

Physics 


Optimization: 

Control  Theory  and  Game  Theory 


A  Thrust  III:  Bridging  gaps 
V between  Thrusts  I  &  II 


Output: 

cybersecurity  laws, 
principles  etc. 


Abstract 

world 


Statistics  (including  Extreme  Value  Theory):  Obtaining 

model  parameters  and  non-equilibrium  (transient)  characteristics 

Security  architectures  and  mechanisms:  Characterizing 

their  properties  (with  respect  to  policies  and  attacks)  from  the 
perspective  of  Cybersecurity  Dynamics  models 


Output:  cyber 
defense  decision¬ 
making  tools  & 
instruments  etc. 


Thrust  II:  Data-,  policy-  and  mechanism- 


driven  characterization  studies 
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Rest  of  the  Talk:  Example  Results 

Cyber  system  (of  systems] 

f  Thrust  I:  “Cybersecurity  Dynamics”- 


Real 

world 


j  centered  first-principle  modeling 


Richer  information 
« - 


Richer  phenomenon 


Stochastic 

Process 


Dynamical 

System 

r 


Statistical 

Physics 


Optimization: 

Control  Theory  and  Game  Theory 
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Thrust  I  output: 

cybersecurity  laws, 
principles  etc. 


Thrust  III:  Bridging  gaps 
between  Thrusts  I  &  II 


Abstract 

world 


Statistics  (including  Extreme  Value  Theory):  Obtaining 

model  parameters  and  non-equilibrium  characteristics 

Security  architectures  and  mechanisms:  Characterizing 

their  properties  (with  respect  to  policies  and  attacks)  from  the 
perspective  of  Cybersecurity  Dynamics  models 


Thrust  II  output 

cyber  defense 
decision-making 
tools  &  instruments 
etc. 


Thrust  II:  Data-,  policy-  and  mechanism- 


driven  characterization  studies 


Cyber  system  (of  systems) 


Real 

world 


Publications: 

(see  http://www.cs.utsa.edu/~shxu/socs/index.html  for  more  recent  ones) 


Red  color:  used  as  examples  today  (rest  of  the  talk) 

□  Push-  and  Pull-based  Epidemic  Spreading  in  Networks:  Thresholds  and  Deeper  Insights. 
ACM  Transactions  on  Autonomous  and  Adaptive  Systems  (ACM  TAAS),  7(3),  2012 

□  A  Stochastic  Model  of  Active  Cyber  Defense  Dynamics,  Internet  Mathematics,  accepted 

□  Optimizing  Active  Cyber  Defense,  GameSec'13 

□  Characterizing  Honeypot-Captured  Cyber  Attacks:  Statistical  Framework  and  Case  Study, 
IEEE  Transactions  on  Information  Forensics  &  Security  (IEEE  TIFS),  8(11):  1775-1789 
(2013) 

□  An  Extended  Stochastic  Model  for  Quantitative  Security  Analysis  of  Networked  Systems. 
Internet  Mathematics,  8(3):  288-320  (2012) 

□  L-hop  percolation  on  networks  with  arbitrary  degree  distributions  and  its  applications. 
Physical  Review  E  84,  031113  (2011) 

□  A  Stochastic  Model  of  Multi-Virus  Dynamics.  IEEE  Transactions  on  Dependable  and 
Secure  Computing  (IEEE  TDSC),  9(1):  30-45  (2012). 

□  Adaptive  Epidemic  Dynamics  in  Networks:  Thresholds  and  Control.  ACM  Transactions  on 
Autonomous  and  Adaptive  Systems  (ACM  TAAS),  2014 

□  A  Stochastic  Model  for  Quantitative  Security  Analysis  of  Networked  Systems.  IEEE 
Transactions  on  Dependable  and  Secure  Computing  (IEEE  TDSC),  8(1):  28-43  (2011).  29 


When  the  Vision  Becomes  Real 


•  •  • 


□  Cyber  defense  operators  can  make  principled 
quantitative  decisions  (based  on  predicted  threats). 

□  We  cannot  eliminate  all  attacks  and  guarantee  zero 
compromises;  but,  as  long  as  we  can  control  the  degree 
of  compromise  below  to  a  threshold  (e.g.,  <1/3),  we  can  at 
least  manage  (i.e.,  tolerate)  them. 

□  Two  analogies: 

❖  We  cannot  prevent  all  crimes;  but,  as  long  as  it  is  low 
enough ... 

❖  We  cannot  prevent  all  people  from  being  sick;  but ,  as 
long  as  most  people  survive ... 
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Roadmap 


□  Vision  for  Cybersecurity  Dynamics  Foundation 

□  Example  Results  Towards  Fulfilling  the  Vision 
♦>  Limitation  of  Preventive  &  Reactive  Defense 

❖  Overcoming  the  Limitation  w /  Active  Defense 

❖  Optimizing  Active  Defense 

□  Challenges  Ahead:  Tackling  Technical  Barriers 
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Dynamics:  Evolution  of  Sec.  State 


>==>•••  i==> 

( o  secure  node  •  compromised  node) 

□  Can  be  instantiated  at  multiple  resolutions:  nodes 
represent  (for  example)  computer,  component,  etc. 

□  Topology  can  be  arbitrary  in  real-life:  from  complete 
graph  to  any  structure 
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Dynamics:  Push-  and  Pull-based  Attacks 
against  Preventive  &  Reactive  Defense 

[ACM  Transactions  on  Autonomous  and  Adaptive  Systems,  2012] 

G  is  called  attack-defense  interaction  structure, 
which  is  a  complex  network,  capturing  who  (or 
which  node)  can  attack  whom  (which  other  nodes). 

G  is  often  not  the  same  as  the  underlying  physical 
network  structure. 

G  always  exists,  although  obtaining  G  is  an 
important  problem  that  is  assumed  away  for  now. 

This  is  sufficient  for  characterization  studies  as  we 


Dynamics:  Push-  and  Pull-based  Attacks 
against  Preventive  &  Reactive  Defense 


Model  parameter: 

►  a:  Pull-based  infection  capability,  namely  the  probability 
a  secure  node  becomes  compromised  at  a  discrete  time 
step  because  of  its  own  activity  (e.g.,  connecting  to  a 
malicious  website  which  may  not  belong  to  G). 

►  7:  The  push-based  infection  capability,  namely  the 
probability  an  compromised  node  u  successfully  infects  a 

node  v,  where  ( u .  v )  G  E. 

►  3:  The  cure  capability,  namely  the  probability  an 

compromised  node  becomes  at  a  single  time  step. 
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Dynamics:  Push-  and  Pull-based  Attacks 
against  Preventive  &  Reactive  Defense 


(1  -  cc)(1  -  5v(t))  a,  5v(t)  1  -  p 


State  transition  diagram  for  individual  node  ve  V 

The  master  equation  of  the  nonlinear  dynamical  system  is 


where 


sv(t  +  1)  =  [(1  —  q)(1  —  <5v(t))]  sv(t)  +  @iv(t) 

iv(t  +  1)  =  [1  —  (1  —  a)(l  -  Mt))]  Sv(t)  +  (1  -  /3)/v(t)- 

Need  to  analyze:  How  does  the  probability 
that  node  v  is  compromised  at  time  t  evolves? 

Difficulty:  There  are  ~106  or  ~109  nodes! 
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Dynamics:  Push-  and  Pull-based  Attacks 
against  Preventive  &  Reactive  Defense 

Stable  equilibrium  is  perhaps  necessary  for  cybersecurity  measurement. 

Theorem: 

Caveat:  Expected  portion  of  compromised  nodes 
converges  to  equilibrium  does  not  necessarily 
mean  every  evolution  instance  behaves  that  way. 

Fundamentally  because  of  the  mean-field  analysis. 

Higher-order  moments  are  definitely  important,  but 
much  harder  to  derive  (work-in-progress). 
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Dynamics:  Push-  and  Pull-based  Attacks 
against  Preventive  &  Reactive  Defense 

Stable  equilibrium  is  perhaps  necessary  for  cybersecurity  measurement. 

Theorem: 

(a  more  succinct  sufficient  condition  under  which  the  dynamics 
will  become  stable)  Let  m  —  maxdeg(y). 

In  the  case  ,3  <  (1  —  a)(l  +  (1  —  7)m)/2,  if 


Insight:  Largest  eigenvalue  of  the  adjacency 
matrix  of  the  attack-defense  interaction  structure, 
which  is  a  complex  network,  plays  an  important 
role  in  governing  the  evolution  of  security  state. 

This  is  how  Algebraic  Graph  Theory  comes  to  play 


then  the  dynamic  system  is  globally  stable. 
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A 

Bounding  the  Equilibrium  State: 

Tackling  the  Scalability  Barrier  Analytically 

0 

It  is  hard  to  compute  the  equilibrium  state  because  of  pull 
attacks.  Can  we  bound  it? 


time> 


Theorem  3 

Let  limt_j.00/v(t)  denote  the  upper  bound  of  the  limit  of  iv(t), 
and  limt_^/v(f)  denote  the  lower  bound  of  the  limit  of  iv(t). 

Then ,  we  have  limt_^00/1/(t)  <  6 +  and  limf^^/v(t)  >  6~ , 
where 


1  -  (1  -  «){1  -  7}dee(v) 
min{l  +  5  —  (1  —  e*){l  —  -/)de6(v) ,  1} 

j  _  _  jdegM  >  g 

[  ((1  —  a)(l  —  71/)  +  1  —  (1  —  a)(l  —  otherwise 


□  ►  4  S 
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with  v  —  minjl  — 


Tackling  the  Scalability  Barrier  via  Sampling: 


How  Theory  May  Guide  Practice 


Estimating  global  state  from  0(|V|) 
localized  sensors/monitors. 
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Figure  3  :  i(t)  vs.  /avg(t) 
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Tackling  the  Scalability  Barrier  via  Constant 

Sensors  i  How  Theory  May  Guide  Practice 
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sensors 
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sensors 


Implication:  It  is  possible  to  derive  global 
cybersecurity  state  from  o(|V|)  or  even 
constant  number  of  sensors. 
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vet 
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Limitation  of  Preventive  &  Reactive  Defense 

The  Cyber  Attack  Amplification  Phenomenon: 


The  preceding  results  say  that  the  power  of  push  and  pull 
attack  is  amplified  by  a  function  of  Ai ,4  of  the  adjacency 
matrix. 

Insight:  Cyber  attack  effect  is  automatically  amplified  by 
the  network,  which  explains  one  kind  of  attack-defense 
asymmetry. 

A1>a  is  a  sort  of  communicability  or  connectivity  measure 
(needs  to  be  precisely  characterized). 


Implication:  There  is  possibly  a  fundamental  trade-off 
between  communicability  and  resilience  under  preventive 
&  reactive  defense  against  push-  and  pull-based  attacks. 


Limitation  of  Preventive  &  Reactive  Defense 


How  can  we  deal  with  the  limitation? 

□  The  straightforward  way  is  to  reduce  the 
network  radius  (e.g.,  communicability  or 
network  connectivity). 

□  An  alternative:  active  cyber  defense 
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Roadmap 


□  Vision  for  Cybersecurity  Dynamics  Foundation 

□  Example  Results  Towards  Fulfilling  the  Vision 
♦>  Limitation  of  Preventive  &  Reactive  Defense 

❖  Overcoming  the  Limitation  w /  Active  Defense 

❖  Optimizing  Active  Defense 

□  Challenges  Ahead:  Tackling  Technical  Barriers 
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Active  Cyber  Defense  Dynamics 


[Paper:  In  Internet  Mathematics,  to  appear] 

Active  defense:  Using  goodware  (e.g.,  white  worm)  or  its  like 
to  kill  malware 

►  Also  an  automated  tool  for  'clean  up”  networks 

A  cyber  system  is  again  abstracted  as  a  finite  (un)directed 
graph  G  =  (V,E), 

►  G  can  have  any  topology  and  always  exists. 

At  any  time  t,  v  G  V  is  in  one  of  two  states:  blue  (occupied 
by  defender)  or  red  (occupied  by  attacker). 

The  combat  between  attacker  and  defender  takes  place  over 
G ,  where  i/’s  state  changes  because  of  u  with  (u,  v)  G  E.  44 


he  Native  Markov  Process  Model 


The  state  of  v  at  time  t  is  random  variable  £v(t)  E  {0,  If: 


1  v  E  V  is  blue  at  time  t 
0  v  E  V  is  red  at  time  t. 


Correspondingly,  we  define 

Bv(t)  =  P(£v{t);  =  1)  and  Rv(t)  =  P(£v(t)  =  0). 

Denote  by  6C.e/?(t)  the  rate  at  which  v  changes  from  blue  to 
red  at  time  t,  which  is  a  random  variable  because  it  depends 
on  the  states  of  v's  neighbors. 

Denote  by  0v.RB{t)  the  random  rate  at  which  v  changes  from 
red  to  blue  at  time  t. 


The  Native  Markov  Process  Model  (cont.) 

The  state  evolution  of  v  G  V  is  naturally  described  by  a 
Markov  process  with  ransition  probabilities: 


P(<fu(t  + At)  =  1  &(t)) 


At  •  0v,RB{t)  +  o(At)  £v(t)  =  0 


Analysis  difficulty: 

The  scalability  barrier:  It  has  2"  states  and  is  nonlinear  in 
general! 

Approach: 

Simply  (i.e.,  approximate)  it  as  a  Dynamical  System  model 


From  Markov  Model  to  Dynamic  System  Model 

By  letting  At  — y  0,  we  have 


Ov.RB(t)  ■  Rv(t)  ~  0v.BR{t)  ■  Bv{t) 

9v,Br(^)  •  Bv(t)  —  0v  Rs{t)  •  Rv{t)- 


Via  mean-field  approximation,  we  can  replace  the  random 

■‘j  (w 

rates  Qv.BR{t)  and  9V  RR{t)  with  their  mean  values  9v.BR{t) 
and  0v.RB{t),  respectively.  Eq.  (5)  becomes  Dynamic  System: 


=  9v.RB(t)  ■  Rv(t )  -  &v,BR{t )  •  Bv(t) 
^ Rv{t )  =  9V  Br{ 0  •  Bv(t)  —  0vRB{t )  •  Rv(t). 


Figure  5  :  State  transition  diagram  of  v  E  V  (B:  blue;  R:  red) 
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One  Class  of  Active  Cyber  Defense  Dynamics 
Models 


System  (6)  is  very  general  because  9v.RB{t)  and  6V.e/?(0  can 
be  defined  via  various  combat-power  functions,  which  abstract 
the  defender's  power/capability  against  the  attacker. 

One  class  of  combat-power  function  foe(-)  :  R  [0. 1]  is: 


0 


v.RB 


(f)  =  fl 


RB 


where  fre(0)  =  0,  foe(l)  =  1,  and  fog ( * )  increases 
monotonically. 


Intuition:  The  more  blue  nodes  active-defending  against  a  red 
node,  the  greater  the  chance  the  red  node  will  be  cleaned  up. 


Four  Types  of  Combat-Power  Functions 


Type  I:  No  cyber  superiority 


Type  II:  No  cyber  superiority 


Type  HI:  Defender  has  superiority 


Type  IV:  Attacker  has  superiority 


Figure  6  :  Examples  of  com  bat- power  function  foeO) 

3  1  T  i 


a 
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Characterizing  Type  I  Dynamics  with 
Node-Independent  Occupation  Posture  Bv( 0) 

Theorem  5 

(a  sufficient  condition  for  one  party  to  occupy  the  entire 
network)  Consider  Type  I  dynamics  in  arbitrary  network 
G  =  ( y,  E)  with  parameter  a.  If  Y,ueNv  eT°)  >  °  for 
all  v  e  V,  lim^oo  Bv(t)  =  1;  if  'EueNv  Bu( 0)  <  <r  for  all 
v  £  V,  limbec,  Bv(t)  =  0. 

I  nsight  1  When  is  active  cyber  defense  useful? 

When  the  defender  is  not  superior  to  the  attacker  in  cyber 
combat ,  active  defense  can  effectively  " clean  up”  a 
compromised  network  only  after  the  defender  has  occupied 
more  than  threshold  a  portion  of  the  networks .  In  other  words , 
the  aefender  can  first  use  an  expensive  procedure  to  manually 
" clean  up”  a  threshold  a  portion  of  the  network,  and  then  use 
active  defense  to  automatically  1 clean  up”  the  entire  network.  50 


Characterizing  Type  I  Dynamics  with 
Node-Independent  Occupation  Posture  Bv( 0) 


Theorem  6 

(a  sufficient  condition  under  which  no  party  can  occupy  the 
entire  network)  Consider  Type  I  dynamics  in  clustered 
arbitrary  network  G  =  (V ,  E)  with  parameter  o.  Let 
Bv( 0)  =  a k  for  every  v  G  Vk  and  3  k  be  the  minimum  node 
expansion  as  defined  in  Eq,  (11).  If  a  k  3k  >  o,  all  nodes  in  Vk 
will  become  blue;  if  (1  —  ak)3k  >  1  —  c,  all  nodes  in  Vk  will 
become  red. 

When  is  active  cyber  defense  useful? 

In  clustered  networks,  active  defense  may  only  be  able  to 
“ clean  up"  some,  but  not  all,  clusters/portions  of 
compromised  networks. 


Insight  2 


Characterizing  Type  I  Dynamics  with 
Degree-dependent  Occupation  Posture  £^(0) 


The  proceeding  analysis  applies  to  node-independent  initial 
occupation  posture  Bv(0),  where  the  defender  does  not  play 
strategy  (e.g.,  better  defending  the  more  important  nodes). 

This  serves  as  baseline  understanding. 

What  if  the  defender  (or  attacker)  play  strategically? 

Hard  to  analyze  in  general  (because  of  the  dependence!). 

Approach:  Use  the  generalized  random  graph  model 


a 


3 
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Advantage  of  Strategic  Defender:  Bv( 0)  oc  deg(v) 

Define 

(T[Eue^(n)deg(y)]2 


threshold  — 


^  At  \2  ’  (14) 

n  EveV(n)de s(v) 

where  deg(\/)  is  the  (in-)degree  of  node  v  G  l/(n).  Theorem  8 
implies  the  following:  if  ^  >  ot  threshold,  then  lim^co  Bv(t)  1 
for  €  V(n);  if  ^  <  a  threshold,  then  lim^^  Bv(t)  =  0  for 

v  €  V(n).  Since  <  n,  we  have  a threshold  <  <?■ 


Insight  4 


When  is  active  cyber  defense  useful? 


If  (i)  the  large-degree  nodes  are  appropriately  better  protected, 
namely  that  the  probabilities  that  they  are  secure  initially  are 
proportional  to  their  degrees,  and  (ii)  the  attacker  has  not 
compromised  too  many  nodes  (more  than  1  —  ^threshold  >  1  —  cr 
portions  of  the  network),  the  defender  can  still  use  active 
defense  to  automatically  ‘clean  up”  the  networjc _ I 


Consequence  of  Strategic  Attacker: 
Rv{ 0)  oc  deg(y) 

The  blue-node  initial  occupation  threshold  is 


3  threshold  —  1 


1  -^[E^i/deg(^)] 

n  E^degM2 


(15) 


If  Y  >  P threshold ,  then  lim  t — J'OO  B»(t)  =  1;  if  f  ^  threshold  r 

then  lim^oo  Bv(t)  0. 

We  have  3 threshold  >  ^ ■ 

Insight  5  When  is  active  cyber  defense  useful? 

If  large-degree  nodes  are  compromised  with  probabilities 
proportional  to  their  degrees ,  the  defender  can  use  active 
defense  to  1 clean  up”  the  network  only  after  occupying 
(3 threshold  >  °  portions  of  the  network. 


Quantifying  Advantage  of  Strategic 
Defender/ Attacker 


Now  we  know  strategic  player  has  some  advantage: 

►  If  the  defender  strategically  occupies  the  large-degree 
nodes,  active  defense  is  still  effective  even  if  the  defender 
occupied  0 threshold  <  &  portions  of  the  nodes, 

►  If  the  attacker  strategically  occupies  the  large-degree 
nodes,  active  defense  is  effective  only  after  the  defender 
occupied  t3 threshold  >  &  portions  of  the  nodes. 

How  significant  are  the  benefits?  Can  we  quantify  it? 


Yes,  we  can  (see  paper  for  details)! 


Active  Defense  Dismisses  the  Attack  Amplication 
Phenomenon 


In  any  case,  asymmetry  disappears  with  active  defense  because 
the  largest  eigenvalue  of  the  adjacency  matrix  (indeed,  any 
other  measures)  does  not  play  any  significant  role  in  governing 
the  outcome  of  active  cyber  defense  dynamics. 


Insight  10 

Active  cyber  defense  dismisses  the  attack  amplification 
phenomenon  that  is  exhibited  by  reactive  defense . 


3 
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A  Further  Result:  Paper  in  Submission 


□  We  show:  active  cyber  defense  dynamics  exhibits  rich 
phenomena:  Bifurcation  and  Chaos 

□  Implication:  There  exists  some  fundamental  limit  on 
cybersecurity  measurementability  and  predictability. 

□  Further  Implication:  We  need  to  manipulate 
cybersecurity  dynamics  (if  possible/feasible)  to  avoid 
such  “unmanageable”  situations. 

□  This  is  how  Control  Theory  and  Game  Theory  naturally 
come  to  play  (under  the  umbrella  of  Optimization). 
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Roadmap 


□  Vision  for  Cybersecurity  Dynamics  Foundation 

□  Example  Results  Towards  Fulfilling  the  Vision 
♦>  Limitation  of  Preventive  &  Reactive  Defense 
❖  Overcoming  the  Limitation  w /  Active  Defense 
♦>  Optimizing  Active  Defense 

□  Challenges  Ahead:  Tackling  Technical  Barriers 
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Optimizing  Active  Defense 


[Paper:  GameSec’13] 


For  now,  we  assume  away  the  attack-defense 
interaction  graph  structure. 

□  Equivalent  to  "homogeneous  mixing”  assumption 
Below  is  a  highlight  of  some  model-derived  insights. 

□  Optimal  Control  and  Game  Theory  models 
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Example  Results 


Theorem  1.  Suppose  the  non,- strategic  attache?' maintains  a  fhted  degree  of  attach  power  f &  (f  H )  = 

and  h&z  <  ^(a  —  b} .  Let  i±  <  be  the  7'oots  of  F &  ( i &  )  =  0.  The  optimal  control  strategy  for  defender 


7TJ3 


0 

If 

is  < 

uh 

if 

=  i  l 

1 

if 

ii  <  <  ^2 

oh 

if 

is  =  i‘2 

n 

a  # 

‘  ^  * 

1  —i  h 
B  is: 


(7) 


wher\ 

Thee 

listed 


Let’s  look  at  their  cybersecurity 
meanings  /  implicationss. 


?s  are 
-  k  R  z . 


A-  ^  ^  C 

A\f£^  <  i  C^*-  —  *0 

O  2  1  ■<  »2  1 

O  <  2-  3  <  ^4:  <  1 

^ 

4TJ?  =  ^ 

1  ij*  ix  C  2-  ^  £0)  C  is 

1  O  i  ^  ( O )  is 

f  O  i^  ij3  £o>  <  i3 

JL  ijf^-  i  3  i^  (O) 

I  O  is  (O)  ^  *4 

A-  ^  ^  -J-  (V-t  —  t*  > 

Aj^.^  p=»  i  C^1-  —  £0 
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r  0  ijf'  i ^  (O)  <  i-3 

1  is  <  i C  O )  <  i-4 

L  O  i  f  i^  <0^>  ^  i4 

A  ^  jsr  =  ^  —  £>} 

fcj=zoz  =  J  («  —  £0 

O  iX  =  is 

2-  3  -  "2  -4  ==  2" 
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i  2TJ?  2/  i^  <0^  =  ii 
^  O  i/  i^(0>  >  is 
r  0  i/  is  (O)  <  is 
<  2/  i^  (O)  =  i3 

L  0  i/  i^  CO>  :>-  i3 

A- ^  ^  —  £>) 

A-  ^  i(a  —  £>) 

o  <  ii  =  is  :=  t=T 

No  r  ea  1- val  ue  cl  r  o  o  t  s 

'fr  ^  =  O  ,  -fr  j=c  =  O 

A  ^  ^  >-  £  hoc.  —  £>  )■ 

A  j=£  ^  £  cx  —  £0 

No  real-valued  roots 

O  <  i3  <  24  <  1 

A-ji  -  < 

A  =  O 

f  0  £f  i^  (0>  <  i3 

1  i^A  is  <  i^(O)  C  i-4 

L  0  i^A  is  (O)  >  2^ 

A  ^  >  ■x  («•  —  EO 

A-  £  <=*  j —  £>} 

INTO  real-valued  roots 

i  3  =:  2-4  = 

7TS  -  O,  TT-J^  -  ODU 

A  ^  ^  -n-  '( «E-  - —  i*) 

A  j=£  ^  !>-  * —  £0 

N  o  real-  val  u  eel  r o  ot  s 

No  r  ea  1— val  ue  d  roots 

4x-b  =  07  -fir  j=£  ^  O 

Optimal  Control  for  Strategic  Active  Defense 
against  Non-strategic  (Fixed)  Attack: 

infinite-time  horizon  optimal  control  (defender  can  use  advanced  tools  if  needed) 


When  the  defender  “occupies”  less  than  i1  portions  of  nodes,  the 
defender  should  give  up  (active  defense)  and  lim^oo  is{t)  =  0 
Cybersecurity  meaning:  incorporate  other  defenses! 


Optimal  Control  for  Strategic  Active  Defense 
against  Non-strategic  (Fixed)  Attack: 

infinite-time  horizon  optimal  control  (defender  can  use  advanced  tools  if  needed) 


When  the  defender  “occupies”  more  than  i1  but  less  than  i2  portions  of 
nodes,  the  defender  should  users  its  best  active  defense  tools  and 

lim  t-xsoM*)  =  *2 
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Optimal  Control  for  Strategic  Active  Defense 
against  Non-strategic  (Fixed)  Attack: 

infinite-time  horizon  optimal  control  (defender  can  use  advanced  tools  if  needed) 


When  the  defender  “occupies”  more  than  i2  portions  of  nodes,  there  is  a 
sort  of  diminishing  return  in  active  defense  (i.e.,  pursuing  “good  enough” 
security  instead)  and  limt-H*,  iB(t)  =  i2  63 


Optimal  Control  for  Strategic  Active  Defense 
against  Non-strategic  (Fixed)  Attack: 

infinite-time  horizon  optimal  control  (defender  can  use  advanced  tools  if  needed) 

an  intermediate 


When  the  defender  “occupies”  exactly  i1  or  i2  portions  of  nodes,  there  is 
a  specific  way  of  launching  active  defense  (based  on  parameters)  and 
iB(t)=i0(t)  for  any  t  >  0.  64 


Nash  Equilibrium  for  Strategic  Active 
Defense  against  Strategic  Attack: 

attacker  more  unwilling  to  expose/use  its  0-day  (new)  attack  tools 


When  the  defender  “occupies”  less  than  i1  portions  of  nodes,  the  NE 
strategy  is  that  both  attacker  and  defender  use  minimal  attack/defense 
power.  This  leads  to  iB(t)=i0(t)  for  any  t  >  0.  65 


Nash  Equilibrium  for  Strategic  Active 
Defense  against  Strategic  Attack: 

attacker  more  unwilling  to  expose/use  its  O-day  (new)  attack  tools 

an  intermediate 


When  defender  “occupies”  >i1  but  <  i3  portions  of  nodes,  NE  strategy  is: 
defender  and  attacker  use  maximal  active  defense/attack  until  reaching 
iB(t)=i3.  After  reaching  it,  both  maintain  maximal  attack/defense  pow#. 


Nash  Equilibrium  for  Strategic  Active 
Defense  against  Strategic  Attack: 

attacker  more  unwilling  to  expose/use  its  O-day  (new)  attack  tools 

an  intermediate 


When  defender  “occupies”  more  than  i3  but  less  than  i4  portions  of 
nodes,  both  defender  and  attacker  launch  their  maximal  attack/defense 
power.  This  results  in  iB(t)=i0(t)  for  any  t  >  0.  1 


Nash  Equilibrium  for  Strategic  Active 
Defense  against  Strategic  Attack: 

attacker  more  unwilling  to  expose/use  its  0-day  (new)  attack  tools 

an  intermediate 


When  defender  “occupies”  >i2  but  <  i4  portions  of  nodes,  NE  strategy  is:  defender 
should  launch  maximal  active  defense  but  attacker  launches  minimal  attacks  until 
reaching  iB(t)=i2-  After  reaching  it,  both  maintain  maximal  attack/defense  power. 68 


Nash  Equilibrium  for  Strategic  Active 
Defense  against  Strategic  Attack: 

attacker  more  unwilling  to  expose/use  its  O-day  (new)  attack  tools 


When  the  defender  “occupies”  more  than  i2  portions  of  nodes,  both 
attacker  and  defender  use  minimal  attack/defense  power.  This  leads  to 
iB(t)=i0(t)  for  any  t  >  0.  69 


Roadmap 


□  Vision  for  Cybersecurity  Dynamics  Foundation 

□  Example  Results  Towards  Fulfilling  the  Vision 
♦>  Limitation  of  Preventive  &  Reactive  Defense 

❖  Overcoming  the  Limitation  w /  Active  Defense 

❖  Optimizing  Active  Defense 

□  Challenges  Ahead:  Tackling  Technical  Barriers 
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Challenges  Ahead  for  Thrust  I 

Systematic  theory  of  cybersecurity  dynamics  (e.g.,  optimal 
allocation  of  preventive,  reactive,  active,  proactive,  adaptive 
defense),  while  overcoming  inherent  technical  barriers 

□  Scalability  barrier:  exponentially  many  states 

□  Dependence  barrier:  dependent  random  variables 

□  Nonlinearity  barrier:  highly  nonlinear  systems 

□  Dynamics  barrier:  dynamic  parameters  and  structures 

□  Nonequilibrium  barrier:  equilibrium  behavior  not  suffici. 
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Challenges  Ahead  for  Thrust  II 


This  thrust  deals  with: 

□  Obtaining  parameters  in  practice 

□  Validating  assumptions 

□  Building  tools  for  use  in  practice 

□  Bridging  the  theory-practice  gap 
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Challenges  Ahead  for  Thrust  III 


This  thrust  deals  with: 

□  Resolution  barrier:  Unified  knowledge 
crossing  macroscopic,  mesoscopic  and 
microscopic  levels  of  abstraction 

□  Possibly  others 


73 


Key  to  Realizing  the  Vision 


Need  close  collaborations: 

□  Cross  multiple  disciplines  (kinds  of  math  etc.) 

□  Cross  multiple  sub-disciplines  within  CS 

□  Cross  the  various  security  sub-fields 

I  myself  am  looking  forward  to  such  collaborations. 

We  also  need  to  foster  a  research  community  — 
HotSoS  is  a  good  starting  point! 
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To  students:  Exciting  time  to  do 
cybersecurity  research 
(modeling  and  mechanism  alike)! 

Thanks!! 


Questions  /  Comments? 
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Science  of  Cybersecurity  Is  NOT  Applied  X 


The  elementary  entities  of  science  X  obey  the  laws  of  science 
Y,  but  science  X  is  not  “just  applied  V." 


X 

Y 

Solid  state  or  many-body  physics 

Elementary  particle  physics 

Chemistry 

Many-body  physics 

Molecular  biology 

Chemistry 

Cell  biology 

Molecular  biology 

Psychology 

Physiology 

Social  science 

Psychology 

[P.  Anderson.  More  is  different.  Science,  Vol.  177,  No.  4047, 
August  4,  1972,  pp  393-6.] 
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Appendix  B 


Cybersecurity  Dynamics* 


Shouhuai  Xu 

Department  of  Computer  Science 
University  of  Texas  at  San  Antonio 
shxu@cs.utsa.edu 


ABSTRACT 

We  explore  the  emerging  field  of  Cybersecurity  Dynamics ,  a  can¬ 
didate  foundation  for  the  Science  of  Cyber  security. 


emerging  field,  called  Network  Science,  would  play  a  fundamental 
role  in  cybersecurity  dynamics  (as  a  supporting  technology).  From 
this  perspective,  a  vision  related  to  cybersecurity  dynamics  was  re¬ 
cently  independently  explored  by  Kott  [6]. 


Categories  and  Subject  Descriptors 

D.4.6  [Security  and  Protection] 

General  Terms 

Security,  Theory 

Keywords 

Cybersecurity  dynamics,  security  model,  security  analysis 

1.  THE  CONCEPT 

In  the  course  of  seeking  fundamental  concepts  that  would  drive 
the  study  of  cyber  security  for  the  many  years  to  come  —  just  like 
how  concepts  such  as  confidentiality,  integrity  and  availability  have 
been  driving  the  study  of  security  for  decades  —  the  idea  of  cy¬ 
bersecurity  dynamics  emerged.  Intuitively,  cybersecurity  dynamics 
describes  the  evolution  of  global  cybersecurity  state  as  caused  by 
cyber  attack-defense  interactions.  Figure  1  illustrates  the  evolu¬ 
tion  of  cybersecurity  state  of  a  toy  cyber  system  that  has  six  nodes, 
which  can  represent  computers  (but  other  resolutions  are  both  pos¬ 
sible  and  relevant).  In  this  example,  a  node  may  be  in  one  of  two 
states,  secure  (green  color)  or  compromised  (red  color);  a  secure 
node  may  become  compromised  and  a  compromised  node  may  be¬ 
come  secure  again,  and  so  on.  A  red-colored  node  u  pointing  to  a 
red-colored  node  v  means  u  successfully  attacked  v.  Even  if  node 
5  is  not  attacked  by  any  other  node  at  time  t±,  it  still  can  become 
compromised  because  of  (e.g.)  an  insider  attack  launched  by  an  au¬ 
thorized  user.  A  core  concept  in  cybersecurity  dynamics  is  attack- 
defense  structure ,  namely  complex  network  capturing  the  relation 
which  computer  can  directly  attack  and/or  defend  for  which  other 
computer  in  a  cyber  system  of  interest.  This  means  that  another 

*A  website  dedicated  to  cybersecurity  dynamics  is  available  at 
http : / / www .cs.utsa. edu/~shxu/ socs/ 


Permission  to  make  digital  or  hard  copies  of  part  or  all  of  this  work  for  personal  or 
classroom  use  is  granted  without  fee  provided  that  copies  are  not  made  or  distributed 
for  profit  or  commercial  advantage  and  that  copies  bear  this  notice  and  the  full  citation 
on  the  first  page.  Copyrights  for  third-party  components  of  this  work  must  be  honored. 
For  all  other  uses,  contact  the  Owner/Author. 

Copyright  is  held  by  the  owner/author(s). 

HotSoS  ’14,  April  08  -  09  2014,  Raleigh,  NC,  USA 
ACM  978-1-4503-2907-1/14/04. 
http://dx.doi.org/10.1145/2600176.2600190 
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Figure  1:  Illustration  of  cybersecurity  dynamics  in  a  toy  cyber¬ 
system,  which  has  six  nodes  (denoted  by  1, . . . ,  6)  whose  states 
evolve  over  time  as  caused  by  cyber  attack-defense  interactions. 
A  node  has  two  states:  secure  (green  color)  and  compromised 
(red  color).  Dashed  arrows  represent  successful  attacks. 

Cyber  security  dynamics  can  serve  as  a  foundation  for  the  Sci¬ 
ence  of  Cyber  security  because  of  the  following.  First,  cyber  attacks 
are  inevitable  and  defenders  need  to  know  the  dynamic  cybersecu¬ 
rity  states  so  as  to  manage  the  risk  (e.g.,  using  appropriate  threshold 
cryptosystems  or  Byzantine  fault-tolerance  schemes).  Cybersecu¬ 
rity  dynamics  offers  natural  security  metrics  such  as:  What  is  the 
probability  that  a  node  is  compromised  at  time  tl  What  is  the  (ex¬ 
pected)  number  of  nodes  that  are  compromised  at  time  tl  Such 
basic  metrics  can  be  used  to  define  more  advanced  security/risk 
metrics  for  decision-making  purposes.  Together  they  can  be  used 
to  characterize  the  global  effect  of  deploying  some  defense  tools 
or  mechanisms.  Second,  cybersecurity  dynamics  naturally  leads 
to  the  notion  of  macroscopic  cybersecurity ,  where  the  model  pa¬ 
rameters  abstract  (e.g.)  the  power  of  microscopic  attack/defense 
mechanisms  and  security  policies.  The  distinction  between  macro¬ 
scopic  security  and  microscopic  security  might  help  separate  se¬ 
curity  services  (i.e.,  management-  or  operation- oriented)  from  se¬ 
curity  techniques  (i.e.,  design-oriented).  Third,  cybersecurity  dy¬ 
namics  offers  an  overarching  framework  that  can  accommodate  de¬ 
scriptive,  prescriptive,  and  predictive  cybersecurity  models,  which 
can  be  systematically  studied  by  using  various  mathematical  tech¬ 
niques  (broadly  defined).  For  example,  we  can  characterize  the 
cyber  security  phenomena  exhibited  by  the  dynamics  and  pin  down 


the  factors/law s  that  govern  the  evolutions. 

Cybersecurity  dynamics  vs.  biological  epidemic  dynamics.  Re¬ 
searchers  have  been  trying  to  design  and  build  computer  systems 
that  can  mimic  the  elegant  properties  of  biological  (especially  hu¬ 
man  body)  systems,  through  concepts  such  as  Artificial  Immune 
System  [4].  Not  surprisingly,  the  concept  of  cybersecurity  dynam¬ 
ics  is  inspired  by  epidemic  models  of  biological  systems  [9].  The 
concept  is  also  inspired  by  models  of  interacting  particle  systems 

[7],  and  by  the  microfoundation  in  economics  (i.e.,  macroeconomic 
parameters  are  ideally  derived  from,  or  the  output  of,  some  microe¬ 
conomic  models)  [5].  Furthermore,  the  concept  naturally  general¬ 
izes  the  many  models  that  are  scattered  in  a  large  amount  of  lit¬ 
erature  in  venues  including  both  statistical  physics  (e.g.,  [10])  and 
computer  science  (e.g.,  [1,  13,  14]).  However,  as  we  will  discuss 
in  Section  3,  fully  understanding  and  managing  cybersecurity  dy¬ 
namics  requires  us  to  overcome  several  technical  barriers. 


2.  RESEARCH  ROADMAP 

In  order  to  fulfill  the  envisioned  cybersecurity  dynamics  founda¬ 
tion  for  the  Science  of  Cybersecurity,  we  suggest  a  research  roadmap 
that  consists  of  three  integral  thrusts. 

Thrust  I:  Building  a  systematic  theory  of  cybersecurity  dynam¬ 
ics.  The  goal  is  to  understand  cybersecurity  dynamics  \mfirst- 
principles  modeling,  by  using  as-simple-as-possible  models  with 
as-few-as-possible  parameters  and  making  as-weak-as-possible  as¬ 
sumptions.  Such  models  aim  to  derive  macroscopic  phenomena 
or  properties  from  microscopic  cyber  attack-defense  interactions. 
These  studies  can  lead  to  cybersecurity  laws  of  the  following  kind: 
What  is  the  outcome  of  the  interaction  between  a  certain  class  of 
cyber  defenses  (including  policies)  and  a  certain  class  of  cyber  at¬ 
tacks?  The  models  may  assume  away  how  model  parameters  can 
be  obtained  (obtaining  the  parameters  is  the  focus  of  Thrust  II),  as 
long  as  they  are  consistent  with  cyber  attack  and  defense  activi¬ 
ties.  Such  characterization  studies  might  additionally  address  the 
following  question:  In  order  to  obtain  a  certain  kind  of  results,  cer¬ 
tain  model  parameters  must  be  provided  no  matter  how  costly  it  is 
to  obtain  them.  Early- stage  investigations  falling  into  this  Thrust 
include  [10,  1,  2,  3,  11,  12,  8,  13,  15,  14], 

Thrust  II:  Data-,  policy-,  architecture-  and  mechanism-driven 
characterization  studies.  The  goal  is  to  characterize  security  poli¬ 
cies,  architectures  and  mechanisms  from  the  perspective  of  cyber¬ 
security  dynamics.  These  studies  allow  us  to  extract  model  pa¬ 
rameters  for  practical  use  of  the  cybersecurity  insights/laws  discov¬ 
ered  by  Thrust  I,  so  as  to  guide  real-life  cyber  operation  decision¬ 
making.  Data-driven  cybersecurity  analytics  is  relevant  to  all  these 
studies.  For  example,  by  studying  the  notion  of  stochastic  cyber 
attack  process ,  it  is  possible  to  conduct  “gray-box"  (rather  than 
“black-box")  predictions  [16],  which  can  serve  as  early  warning  in¬ 
formation  and  guide  the  provisioning  of  resources  for  cost-effective 
defense.  This  Thrust  might  lead  to  the  development  of  cybersecu¬ 
rity  instruments,  which  can  measure  useful  attributes  —  like  the 
various  kinds  of  medical  devices  that  can  measure  various  health 
attributes/parameters  of  human  body. 

Thrust  III:  Bridging  gaps  between  Thrusts  I  &  II.  The  goal  is 
to  bridge  the  gaps  between  Thrust  I  and  Thrust  II.  This  Thrust  can 
inform  Thrust  II  what  parameters  used  in  the  models  of  Thrust  I 
are  necessary  to  obtain,  no  matter  how  costly  it  is  to  obtain  them. 
On  the  other  hand,  this  Thrust  can  also  inform  Thrust  I  that  certain 
other  parameters  may  be  easier  to  obtain  in  practice,  and  therefore 
alternate  models  may  be  sought  instead.  Research  on  experimental 
cybersecurity ,  in  lieu  of  experimental  physics,  will  be  a  main  theme 
of  this  Thrust. 


3.  TECHNICAL  BARRIERS 

In  order  to  fulfill  the  envisioned  cybersecurity  dynamics  founda¬ 
tion  for  the  Science  of  Cyber  security,  we  need  to  overcome  several 
technical  barriers  that  are  believed  to  be  inherent  to  the  problem  of 
cybersecurity  (i.e.,  they  cannot  be  bypassed)  and  do  not  have  coun¬ 
terparts  (at  least  to  a  large  extent)  in  the  inspiring  disciplines  men¬ 
tioned  above.  Representatives  are:  (a)  The  scalability  barrier:  Sup¬ 
pose  there  are  n  nodes,  where  each  node  has  2  states.  Then,  there 
are  2n  global  states.  This  state- space  explosion  prevents  simple 
treatment  of  stochastic  processes,  (b)  The  nonlinearity  barrier:  The 
probability  that  a  computer  is  compromised  would  depend  on  the 
states  of  other  computers  in  a  (highly)  nonlinear  fashion.  This  can 
render  many  analysis  techniques  useless,  (c)  The  dependence  bar¬ 
rier:  The  states  of  computers  are  dependent  upon  each  other  (e.g., 
they  may  have  the  same  software  vulnerability),  and  thus  we  need 
to  accommodate  such  dependence  between  them,  (d)  The  struc¬ 
tural  dynamics  barrier:  The  heterogeneous  attack-defense  complex 
network  structures  may  be  dynamic  at  a  time  scale  that  may  or  may 
not  be  the  same  as  the  time  scale  of  the  cybersecurity  dynamics,  (e) 
The  non- equilibrium  (or  transient  behavior)  barrier:  It  is  important 
to  understand  both  the  equilibrium  states  and  the  dynamics  before 
it  converges  to  the  equilibrium  distribution/state  (if  it  does  at  all). 
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1.  INTRODUCTION 

The  human-created  cyberspace  is  a  very  large-scale  complex  sys¬ 
tem  of  cyber  systems.  Its  security  properties  are  difficult  to  under¬ 
stand  and  characterize.  We  attribute  this  difficulty  to  its  complex¬ 
ity ,  a  manifestation  of  which  is  the  so-called  emergent  behavior 
in  Complexity  Science  [6].  Although  there  is  no  universally  ac¬ 
cepted  definition  of  emergent  behavior  [11],  the  basic  idea  is  intu¬ 
itive.  The  simplest  example  of  emergent  behavior  may  be  the  well 
known  “1  +  1  >  2"  effect.  For  our  purpose,  it  is  sufficient  to  use 
the  following  informal  definition  of  emergent  behavior  in  cyberse¬ 
curity  domain. 

Definition  1.  A  security  property  of  a  cybersystem  exhibits 
emergent  behavior  if  the  property  is  not  possessed  by  the  underly¬ 
ing  lower-level  components  of  the  cybersystem. 

A  direct  consequence  of  emergent  behavior  is  that  at  least  some 
security  properties  cannot  be  understood  by  solely  considering  the 
lower-level  components;  instead,  we  must  explicitly  consider  the 
interactions  between  the  lower-level  components.  Although  emer¬ 
gent  behavior  of  cybersystems  has  been  discussed  from  a  function 
or  constructional  perspective  [10,  7],  emergent  behavior  in  cyber¬ 
security  is  not  systematically  examined  until  now. 
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2.  EMERGENT  BEHAVIOR 

We  demonstrate  emergent  behavior  in  cybersecurity  through  three 
examples. 

Example  1:  Emergent  behavior  exhibited  by  cybersecurity  dy¬ 
namics.  We  refer  to  [15]  for  an  exposition  of  the  emerging  field  of 
cyber  security  dynamics.  In  order  to  explain  how  emergent  behav¬ 
ior  is  exhibited  by  cybersecurity  dynamics,  we  consider  the  perhaps 
simplest  model  [4].  For  our  purpose,  it  suffices  to  consider  two 
cybersystems  that  respectively  induce  attack-defense  structures  (or 
graphs)  Gi  =  (Vi,  Ef),  where  V%  is  the  node  (vertex)  set  and  E\ 
is  the  edge  set  for  i  =  1,2.  Fet  Ai  (G)  denote  the  largest  eigen¬ 
value  of  the  adjacency  matrix  of  a  graph  G ,  p  denote  the  defense 
capability  in  detecting  and  cleaning  compromised  nodes  (e.g.,  the 
probability  that  a  compromised  node  gets  cleaned  at  a  time  step), 
and  7  denote  the  attack  capability  in  compromising  secure  nodes 
(e.g.,  the  probability  that  this  event  occurs  over  an  edge  at  a  time 
step).  For  simplicity,  suppose  Gi  is  a  complete  graph  with  m 
nodes  for  i  —  1,2.  It  is  well  known  that  Ai(Ga)  =  m  —  1  and 
Ai (G2)  =ri2  —  l.  For  i  —  1,2,  if  A\{Gi)  <  /3/ 7,  the  attacks 
will  eventually  be  wiped  out  in  the  cybersystem  that  induces  Gi ;  if 
Ai  (Gi)  >  /3/ 7,  the  attacks  cannot  be  wiped  out  [4]. 

Now  we  consider  a  new  cyber  system  that  is  obtained  by  inter¬ 
connecting  the  aforementioned  two  cybersy  stems  that  induced  G 1 
and  G2 •  Consider  the  simplest  case  that  any  node  can  attack  any 
other  node  in  the  interconnected  cybersystem,  which  effectively  in¬ 
duces  attack-defense  structure,  a  complete  graph,  £+,2  with  m+712 
nodes  and  Ai(Gi,2)  =  m  +  ri2  —  1.  In  many  (if  not  all)  cases,  the 
defense  capability  /3'  and  the  attack  capability  7'  associated  to  Gi, 2 
are  respectively  the  same  as  the  defense  capability  f3  and  the  attack 
capability  7  associated  to  G\  and  G+  Since  Ai(Gi)  <  P/ 7  for 
i  =  1,2  do  not  imply  Ai(Gi,2)  <  P'  M'  =  PM,  we  conclude 
that  the  attacks  can  be  wiped  out  in  the  two  underlying  compo¬ 
nent  cybersystems,  but  cannot  be  wiped  out  in  the  interconnected 
cybersystem  as  long  as  Ai(Gi,2)  >  P/ 7.  This  phenomenon  can 
be  naturally  extended  to  more  sophisticated  settings  (e.g.,  [17,  16, 
18,  19]).  This  implies  that  cybersecurity  dynamics  cannot  be  de¬ 
termined  by  looking  at  the  component  cybersystems  alone.  Rather, 
we  need  to  look  into  how  the  component  cybersystems  interact  with 
each  other. 

Example  2:  Emergent  behavior  exhibited  by  security  proper¬ 
ties  in  the  extended  trace-property  framework.  In  the  field  of 
program  verification,  it  was  known  that  specifications  that  are  suf¬ 
ficient  for  sequential  programs  are  not  sufficient  for  concurrent  pro¬ 
grams.  For  dealing  with  concurrent  programs,  Famport  proposed 
the  safety-liveness  framework  of  trace  properties  [12].  Intuitively, 
a  trace  is  a  finite  or  infinite  sequence  of  states  corresponding  to  an 
execution  of  a  program.  A  trace  property  is  a  set  of  traces  such 


that  every  trace,  in  isolation ,  satisfies  the  same  predicate.  A  safety 
property  says  that  no  “bad  thing"  happens  during  the  course  of  a 
program  execution,  while  a  liveness  property  says  that  “good  thing" 
will  eventually  happen  during  the  course  of  a  program  execution. 
Both  safety  and  liveness  are  trace  properties.  A  beautiful  result  is 
that  every  trace  property  is  the  intersection  of  a  safety  property  and 
a  liveness  property  [12,  1]. 

Given  the  above  history,  it  is  appealing  to  specify  a  cybersystem 
as  a  set  of  traces,  and  therefore  as  a  subset  of  a  security  property 
that  is  also  specified  as  a  set  of  traces.  Unfortunately,  security  prop¬ 
erties  are  not  trace  properties  as  shown  in  [8,  5,  14]  and  refreshed 
below.  First,  noninterference  is  a  security  property  that  captures  the 
intuition  that  system  security  is  preserved  as  long  as  high-clearance 
(or  high-privilege)  processes  cannot  influence  the  behavior  of  low- 
clearance  (low-privilege)  processes.  It  is  no  trace  property  because 
it  cannot  be  verified  without  examining  the  other  traces.  Second, 
information-flow  captures  some  kind  of  correlation  between  the 
values  of  variables  in  multiple  traces.  It  is  no  trace  property  be¬ 
cause  it  cannot  be  verified  by  examining  each  trace  alone.  Third, 
average  service  response  time  is  an  availability  property.  It  is  no 
trace  property  because  it  depends  on  the  response  time  in  all  traces. 

In  an  effort  to  overcome  the  above  limitation  of  the  safety-liveness 
framework,  Clarkson  and  Schenider  extended  the  notion  of  trace 
properties  to  the  notion  of  trace  hyperproperties  [5].  Basically,  hy¬ 
perproperties  are  sets  of  trace  properties.  In  parallel  to  the  safety- 
liveness  framework,  a  hyperproperty  is  also  the  intersection  of  a 
safety  hyperproperty  and  a  liveness  hyperproperty.  It  is  now  known 
that  information- flow,  integrity  and  availability  can  be  hypersafety 
or  hyperliveness  [5].  Exactly  because  hyperproperties  capture  that 
the  verification  procedure  must  examine  across  multiple  traces,  which 
may  accommodate  interactions  between  the  component  systems, 
we  say  that  hyperproperties  exhibit  the  emergent  behavior.  This 
means  that  we  need  to  study  the  emergent  behavior  in  cybersecu¬ 
rity,  which  may  explain  why  it  took  so  long  to  realize  the  impor¬ 
tance  of  hyperproperties. 

Example  3:  Emergent  behavior  exhibited  by  cryptographic  se¬ 
curity  properties.  Cryptographic  secure  multiparty  computation 
allows  multiple  parties  Pi , . . . ,  Pm,  each  having  a  respective  secret 
x\, . . . ,  Xm,  to  compute  a  function  f(x i , . . . ,  Xm)  such  that  no  in¬ 
formation  about  the  xfs  is  leaked  except  for  what  is  implied  by  the 
output  of  the  function.  This  manifests  a  confidentiality  property.  A 
beautiful  feasibility  result  is  that  any  polynomial-time  computable 
function  /(•,...,•)  can  be  securely  computed  [20, 9],  as  long  as  the 
protocol  executes  in  isolation  (the  stand-alone  setting)  and  trapdoor 
permutations  exist.  When  such  cryptographic  protocols  are  used  as 
building-blocks  in  larger  applications/systems,  they  may  execute 
concurrently  (rather  than  in  isolation).  This  leads  to  a  natural  ques¬ 
tion:  Are  the  cryptographic  protocols,  which  are  provably  secure 
when  executed  in  isolation,  still  secure  when  they  are  concurrently 
called  by  larger  applications/systems?  Intuitively,  concurrent  exe¬ 
cutions  offer  the  attacker  the  leverage  (for  example)  to  schedule  the 
messages  in  a  way  that  is  to  the  attacker’s  advantage,  which  does 
not  have  a  counterpart  in  the  stand-alone  setting. 

Quite  similar  to  what  happened  in  the  field  of  program  verifica¬ 
tion,  where  specific  properties  (e.g.,  partial  correctness  and  mutual 
exclusion)  were  investigated  before  the  introduction  of  the  unifying 
safety-liveness  framework  [12],  the  same  kind  of  development  was 
made  in  the  field  of  cryptographic  protocols.  That  is,  specific  cryp¬ 
tographic  security  properties  were  investigated  before  the  introduc¬ 
tion  of  the  unifying  notion  called  universal  composability  [2],  or 
its  equivalent  (but  perhaps  more  intuitive)  version  called  concur¬ 
rent  general  composition  (arbitrarily  many  instances  run  possibly 
together  with  arbitrary  other  protocols)  [13].  It  is  now  known  that 


there  are  cryptographic  multiparty  computation  protocols,  which 
are  provably  secure  when  executed  in  isolation,  but  are  not  secure 
when  they  are  concurrently  called  by  larger  applications/systems. 
For  example,  there  exist  classes  of  functions  that  cannot  be  com¬ 
puted  in  the  universally  composably  secure  fashion  [3].  In  other 
words,  these  functions  can  be  securely  computed  by  running  some 
cryptographic  protocols  in  isolation,  but  cannot  be  securely  com¬ 
puted  when  the  protocols  execute  concurrently.  In  order  to  make 
cryptographic  multiparty  computation  protocols  secure  when  they 
are  used  as  building-blocks  for  constructing  larger  cybersystems, 
we  need  to  make  extra  assumptions,  such  as  that  majority  of  the 
parties  Pi, ... ,  Pm  are  not  compromised  [2] .  This  manifests  emer¬ 
gent  behavior.  (It  is  interesting  to  note  that  whether  or  not  it  is 
reasonable  to  assume  that  majority  of  the  parties  are  not  compro¬ 
mised  may  be  addressed  by  the  cybersecurity  dynamics  framework 
[15].) 
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